proxy: connect redis with AWS IAM #7189

Merged (11 commits) on Mar 22, 2024

khanova (Contributor) commented Mar 20, 2024

Problem

Support of IAM Roles for Service Accounts for authentication.

Summary of changes

  • Obtain 15m-long AWS credentials
  • Retrieve the Redis password from the credentials
  • Update every 1h to keep the connection for more than 12h
  • For now, allow different endpoints for pubsub/stream Redis.

TODOs:

  • PubSub doesn't support credentials refresh, consider using stream instead.
  • We need an AWS role for proxy to be able to connect to both: S3 and elasticache.

Obtaining credentials and refreshing the connection were tested on the xenon preview.

https://github.com/neondatabase/cloud/issues/10365

Checklist before requesting a review

  • I have performed a self-review of my code.
  • If it is a core feature, I have added thorough tests.
  • Do we need to implement analytics? if so did you add the relevant metrics to the dashboard?
  • If this PR requires public announcement, mark it with /release-notes label and add several sentences in this section.

Checklist before merging

  • Do not forget to reformat commit message to not include the above checklist


github-actions bot commented Mar 20, 2024

2706 tests run: 2574 passed, 0 failed, 132 skipped (full report)


Code coverage* (full report)

  • functions: 28.2% (7208 of 25591 functions)
  • lines: 46.7% (44244 of 94675 lines)

* collected from Rust tests only


The comment gets automatically updated with the latest test results
5d5cc34 at 2024-03-21T13:56:47.891Z

@khanova khanova marked this pull request as ready for review March 20, 2024 18:44
@khanova khanova requested a review from a team as a code owner March 20, 2024 18:44
conradludgate (Contributor) commented

Code is rather complex but it seems ok. I don't see anything inherently wrong. How do we plan to roll this out safely?

khanova (Contributor Author) commented Mar 21, 2024

> Code is rather complex but it seems ok. I don't see anything inherently wrong. How do we plan to roll this out safely?

Right now we don't have regional redis anywhere except the preview (and even with the preview it's a bit tricky).

Once we have setup on staging, we could enable it there.

For now I suggest the following plan:

  1. Merge
  2. Add helm-values
  3. Check with the preview in full proxy and cplane setup.

@khanova khanova merged commit 6770ddb into main Mar 22, 2024
53 checks passed
@khanova khanova deleted the proxy-aws-irsa-auth-for-elasticache branch March 22, 2024 08:38
conradludgate added a commit that referenced this pull request Mar 22, 2024